improper invalidation of authorization sessions

Bug #1934518 reported by Heather Lemon
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
mongodb (Ubuntu)
Trusty
Confirmed
Low
Unassigned
Bionic
Fix Released
Low
Unassigned
Focal
Fix Released
Low
Unassigned

Bug Description

CVE: https://ubuntu.com/security/CVE-2019-2386

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user’s session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

CVE References

tags: added: security
tags: added: ubuntu-security
removed: security
Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

cve-2019-2386 bionic improper invalidation of authorization sessions allows an authenticated user’s session to persist and become conflated with new accounts.

Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

cve-2019-2386 focal improper invalidation of authorization sessions allows an authenticated user’s session to persist and become conflated with new accounts.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "CVE-2019-2386-bionic-20210702.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
tags: added: bug security
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mongodb (Ubuntu Bionic):
status: New → Confirmed
Changed in mongodb (Ubuntu Focal):
status: New → Confirmed
Changed in mongodb (Ubuntu Trusty):
status: New → Confirmed
Changed in mongodb (Ubuntu):
status: New → Confirmed
Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

updated changelog and quilt headers to add CVE#

Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

redo patch for bionic add CVE tags updated dch and quilt patch headers

Revision history for this message
Alex Murray (alexmurray) wrote (last edit ):

Was it intentional to remove python-requests from Build-Depends for focal? Also the version number should be 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.1 not 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu6 (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging) and ideally the changelog entry would be formatted as per the examples on that page, ie SECURITY UPDATE: xxxx (LP: #YYYY) etc

I'm happy to sponsor these and will make these small changes in the process. Thanks.

Revision history for this message
Alex Murray (alexmurray) wrote :

Ah I see, python-requests is not in focal anymore - all good. Thanks again.

Mathew Hodson (mhodson)
information type: Public → Public Security
no longer affects: mongodb (Ubuntu)
Changed in mongodb (Ubuntu Trusty):
importance: Undecided → Low
Changed in mongodb (Ubuntu Bionic):
importance: Undecided → Low
Changed in mongodb (Ubuntu Focal):
importance: Undecided → Low
Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

I am getting a build failure after integrating the changes from v3.4
https://github.com/mongodb/mongo/commit/64d8e9e1b12d16b54d6a592bae8110226c491b4e

Checking for mongoc_get_major_version() in C library mongoc-1.0... no
*** Run 'pip2 install --user regex' to speed up error code checking
DUPLICATE IDS: 40437
  src/mongo/bson/bsonelement.h:624:17:uassert(40437
  src/mongo/bson/bsonelement.h:655:17:uassert(40437
next id to use: 40679
debian/rules:45: recipe for target 'override_dh_auto_clean' failed
make[1]: *** [override_dh_auto_clean] Error 1
make[1]: Leaving directory '/root/userid-validate-CVE-2019-2386/mongodb-3.6.3'
debian/rules:74: recipe for target 'clean' failed
make: *** [clean] Error 2
dpkg-buildpackage: error: fakeroot debian/rules clean subprocess returned exit status 2
debuild: fatal error at line 1152:
dpkg-buildpackage -rfakeroot -us -uc -ui -S -i failed

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mongodb - 1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2

---------------
mongodb (1:3.6.9+really3.6.8+90~g8e540c0b6d-0ubuntu5.2) focal-security; urgency=medium

  [Heather Lemon]
  * SECURITY UPDATE: account session reuse leads to unauthorized access (LP: #1934518)
    - d/p/CVE-2019-2386-SERVER-38984-Validate-unique-User-ID-on-UserCache-hi.patch:
      Attach ID to users.
      After user deletion in MongoDB Server the improper invalidation of
      authorization sessions allows an authenticated user's session to
      persist and become conflated with new accounts
    - CVE-2019-2386

  [Alex Murray]
  * Refresh
    d/p/CVE-2019-2386-SERVER-38984-Validate-unique-User-ID-on-UserCache-hi.patch
    with the version from the 3.4 upstream branch that is still licensed
    under the AGPL.

 -- Alex Murray <email address hidden> Mon, 23 Aug 2021 17:01:06 +0930

Changed in mongodb (Ubuntu Focal):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mongodb - 1:3.6.3-0ubuntu1.3

---------------
mongodb (1:3.6.3-0ubuntu1.3) bionic-security; urgency=medium

  [Heather Lemon]
  * SECURITY UPDATE: account session reuse leads to unauthorized access (LP: #1934518)
    - d/p/CVE-2019-2386-SERVER-38984-Validate-unique-User-ID-on-UserCache-hi.patch:
      Attach ID to users.
      After user deletion in MongoDB Server the improper invalidation of
      authorization sessions allows an authenticated user's session to
      persist and become conflated with new accounts
    - CVE-2019-2386

  [Alex Murray]
  * Refresh
    d/p/CVE-2019-2386-SERVER-38984-Validate-unique-User-ID-on-UserCache-hi.patch
    with the version from the 3.4 upstream branch that is still licensed
    under the AGPL.

 -- Alex Murray <email address hidden> Fri, 06 Aug 2021 12:08:41 +0930

Changed in mongodb (Ubuntu Bionic):
status: Confirmed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote :

I'm unsubscribing the Ubuntu Sponsors team from this bug report given that Trusty is no longer a supported release and if it is supported in ESM that's not an archive an Ubuntu Sponsor would necessarily be able to upload to.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers